A brief guide to follow up
You should follow up on the actions agreed by management to ensure both that they are implemented correctly within the agreed timescale, and that the actions undertaken have effectively mitigated the identified risk.
The work of internal audit fails to improve the internal control, risk and governance arrangements if areas it identifies for improvement are not carried through by management.
Audit committee and senior management require assurance that the agreed actions within internal audit reports have been implemented correctly in the timescales originally offered by management, and that controls are managing risk more effectively.
To inform this process and provide the necessary assurance, internal audit should undertake follow up work. The approach to, and frequency of, this work will vary by organisation, and the internal audit team should agree a follow up protocol with management.
This protocol should consider:
- whether you will follow up report recommendations, management actions, or both
- how you should deal with partial implementation or work in progress
- the escalation process for actions not cleared by the agreed date
- whether you will follow up all recommendations or only those of a particular category or a percentage of actions
- how to report actions that have been completed, but where internal audit still needs to confirm this by undertaking testing over a period of time
- who in internal audit can clear the action and whether quality review is needed
Approaches to follow up
There are three main approaches to follow up and clearing actions:
- issue by issue as the due date arrives and internal audit is notified of completion
- by undertaking a follow up audit based upon internal audit’s record of recommendations
- by providing assurance over management’s own tracking and reporting of progress to the audit committee
The first approach is the timeliest and supports continuous reporting to the audit committee, but it presents a challenge in managing defined internal audit resources and making them available as and when completion is notified.
The second is the more traditional approach and tends to be performed at agreed frequencies. This aids resource planning but is resource intensive and provides a less timely picture of implementation.
The third and preferred option reflects and reinforces the fact that the agreed actions are indeed for management to implement. It puts the monitoring and reporting of progress in management’s court and makes the most efficient use of defined internal audit resources.
The role of internal audit becomes one of assurance over the accuracy and completeness of reporting by management to the audit committee. It is undertaken at agreed frequencies, with internal audit providing an opinion to the audit committee on the reliance that may be placed upon management’s reporting.
If positive assurance cannot be provided to the audit committee, internal audit will likely need to revert to one of the other approaches and work with management to improve their monitoring in the interim, until management’s own systems are robust.
To ensure the action is implemented correctly, internal audit cannot rely on management informing it that this is the case. Internal audit must obtain suitable evidence to confirm this and, where relevant, undertake testing to ensure it is operating effectively.
It is critical not just to ensure the action is complete, but that it has effectively mitigated risk to an acceptable level. The quality and effectiveness of the action must be reviewed.
Reporting of progress on outstanding actions is vital to both the audit committee and senior management. It should be statistical and should also highlight areas of specific concern and trends.
It should include:
- actions implemented
- missed dates and revised dates (particularly if repeatedly revised)
- actions followed up and cleared by internal audit
- statistical analysis of status to enable monitoring and achievement of any targets
Who owns this progress reporting will depend upon which of the follow up approaches described above is adopted.
IIA IPPF Standard 2500 - monitoring
IIA IPPF Standard 2600 - acceptance of risk